fix DB password rotation desync in 5 stacks

Vault DB engine rotates passwords weekly but 5 stacks baked passwords
at Terraform plan time, causing stale credentials until next apply.

- real-estate-crawler: add vault-database ESO, use secret_key_ref in 3 deployments
- nextcloud: switch Helm chart to existingSecret for DB password
- grafana: add vault-database ESO, use envFromSecrets in Helm values
- woodpecker: use extraSecretNamesForEnvFrom, remove plan-time data source chain
- affine: add vault-database ESO, use secret_key_ref in deployment + init container
Viktor Barzin 2026-03-17 07:39:29 +00:00
parent 8d8c8db737
commit c8b42f78df
10 changed files with 166 additions and 41 deletions


@ -85,9 +85,12 @@ resource "kubernetes_manifest" "external_secret" {
}
# DB credentials from Vault database engine (rotated every 24h)
# Updated: ExternalSecret now provides DATABASE_DATASOURCE
# which gets injected via envFrom and auto-updates when password rotates
# ExternalSecret provides WOODPECKER_DATABASE_DATASOURCE injected via
# server.extraSecretNamesForEnvFrom auto-updates when password rotates
resource "kubernetes_manifest" "db_external_secret" {
field_manager {
force_conflicts = true
}
manifest = {
apiVersion = "external-secrets.io/v1beta1"
kind = "ExternalSecret"
@ -105,8 +108,7 @@ resource "kubernetes_manifest" "db_external_secret" {
name = "woodpecker-db-creds"
template = {
data = {
# Key matches the Woodpecker Helm chart env var name
DATABASE_DATASOURCE = "postgres://woodpecker:{{ .password }}@${var.postgresql_host}:5432/woodpecker?sslmode=disable"
WOODPECKER_DATABASE_DATASOURCE = "postgres://woodpecker:{{ .password }}@${var.postgresql_host}:5432/woodpecker?sslmode=disable"
}
}
}
@ -215,7 +217,6 @@ resource "helm_release" "woodpecker" {
github_client_id = data.vault_kv_secret_v2.secrets.data["github_client_id"]
github_client_secret = data.vault_kv_secret_v2.secrets.data["github_client_secret"]
agent_secret = data.vault_kv_secret_v2.secrets.data["agent_secret"]
postgresql_host = var.postgresql_host
forgejo_client_id = data.vault_kv_secret_v2.secrets.data["forgejo_client_id"]
forgejo_client_secret = data.vault_kv_secret_v2.secrets.data["forgejo_client_secret"]
forgejo_url = var.woodpecker_forgejo_url
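Review bot: The comment added at the top of the first hunk (`# ExternalSecret provides WOODPECKER_DATABASE_DATASOURCE ... auto-updates when password rotates`) overstates what `extraSecretNamesForEnvFrom` delivers: Kubernetes sets environment variables when the container starts and does not refresh them when the backing Secret changes, so once ESO writes the rotated password into `woodpecker-db-creds` the running Woodpecker server keeps the old datasource until its pod is recreated, which means the desync this commit targets persists until a restart rather than until the next apply. Either add a restart trigger (a pod-template annotation carrying a hash of the secret, or a reloader-style controller if the cluster already runs one) or reword the comment to `# ESO refreshes the Secret on rotation; the server pod must be restarted to pick up the new password`. The new `WOODPECKER_DATABASE_DATASOURCE` template in the second hunk keeps `sslmode=disable`, so each rotated password still crosses the network to `${var.postgresql_host}` in cleartext; `sslmode=require` or stricter is preferable if the PostgreSQL service presents TLS, and since the password is interpolated into the URL unescaped, `{{ .password | urlquery }}` keeps the DSN parseable should the Vault password policy ever emit URL-reserved characters (Go's text/template provides `urlquery`; confirm ESO's template engine exposes it). The retained context line `# DB credentials from Vault database engine (rotated every 24h)` contradicts the commit message's "weekly"; one of them should be corrected to match the Vault role's actual rotation period. The `helm_release "woodpecker"` values block in the third hunk continues outside the hunk, so I could not check whether anything there still references the removed `postgresql_host` value.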